How to Disable MFA in Office 365 Quickly with PowerShell

There are different reasons why you might want to disable MFA in Office 365. A user may have lost their phone or you want to migrate to a different MFA system. No matter what the reason is, we can quickly disable MFA for single or multiple users in Microsoft 365.

A recently had a user who lost his phone and wasn’t able to work until we received the new sim card. In these kinds of situations, we will need to disable MFA in Office 365 temporarily for the user, allowing him to register a new device.

In this article, I will explain the different options when it comes to remove MFA in Office 365, using PowerShell and the Microsoft 365 Admin Center.

Disable MFA in Office 365 with PowerShell

In most situations, you only want to disable MFA temporarily so the user is able to log in again and register a new device. In this case, we are not actually disabling MFA, but we are going to remove the authentication methods.

This way, the user can sign in again, after which Office 365 will force the user to set up MFA again.

Step 1 – Connect to Msol-Service

The first step is to connect to the Msol-Service in PowerShell:

Connect-MsolService

# If you don't have the MsolService module installed, then install it with:
Install-Module MSOnline

Step 2 – Get the user and remove authentication methods

We can now lookup the user and remove the authentionmethods. We do this by setting an empty list for the authention methods.

Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -StrongAuthenticationMethods @()

The user can now log in again into Office 365. After entering the username and password the user is requested to enter more information to set up the MFA again.

If you want to disable MFA temporarily for all users you can simply change the Get-MsolUser cmdlet:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationMethods @()

Completely Disable MFA for a Single User in Office 365

It’s also possible to completely disable MFA for a user. I don’t recommend to keep the MFA disabled for a longer period. In some case you might need to turn it off for a couple of days until the user receive a new phone, for example.

For this we are also going to use PowerShell, which I personally find faster to work with then navigating through the admin center.

First, connect to the Microsoft Online Service

Connect-MsolService

# If you don't have the MsolService module installed, then install it with:
Install-Module MSOnline

Then we can remove the strong authentication requirements for the user in question:

Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -StrongAuthenticationRequirements @()

The user can now log in to the Microsoft 365 service without the needs for MFA authentication. To enable MFA again you can either use the admin center or this PowerShell script.

Again, if you want to disable it for all users, simply change the Get-MsolUser cmdlet:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @()

Using the Microsoft 365 Admin Center to disable MFA

If you don’t like to use PowerShell then it’s also possible to disable MFA in Office 365 through the Microsoft 365 Admin Center. The downside is that is sometimes takes a couple of minutes before it’s processed, but that is not a big deal.

  1. Open the Microsoft 365 Admin Center
  2. Expand Users and click on Active Users
  3. Click on Multi-Factor Authentication
Microsoft 365 Active Users
  1. Select the user for which you want to disable MFA
  2. Click on Disable on the right side, below Quick Steps
Disable MFA in Office 365
Disable MFA in Office 365

Wrapping Up

Using PowerShell you can quickly disable MFA in Office 365, but keep in mind that accounts without MFA are vulnerable for phishing attacks. You can now also improve the MFA security by requiring a number validation or by showing the request location, read more about these new features in this article.

If you want to check the MFA status of your users then make sure you read this article which includes a free script to get and export the MFA status of all or a single users.

If you have questions, then just drop a comment below.

Leave a Comment

0 Shares
Tweet
Pin
Share
Share